Zhu LH, Zheng BK, Shen M et al. Data security and privacy in Bitcoin system: A survey. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 35(4): 843–862 July 2020. DOI 10.1007/s11390-020-9638-7

Data Security and Privacy in Bitcoin System: A Survey

Lie-Huang Zhu1, Member, CCF, IEEE, Bao-Kun Zheng1,2, Meng Shen1,3,∗, Member, CCF, IEEE, Feng Gao1, Hong-Yu Li1, and Ke-Xin Shi1

1 School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China
2 School of Information Management for Law, China University of Political Science and Law, Beijing 102249, China
3 Key Laboratory of Information Network Security, Ministry of Public Security, Shanghai 201204, China

E-mail: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]

Received April 16, 2019; revised April 8, 2020.

Abstract To date, bitcoin has been the most successful application of blockchain technology and has received considerable attention from both industry and academia. Bitcoin is an electronic payment system based on rather than on credit. Regardless of whether people are in the same city or country, bitcoin can be sent by any one person to any other person when they reach an agreement. The market value of bitcoin has been rising since its advent in 2009, and its current market value is US$160 billion. Since its development, bitcoin itself has exposed many problems and is facing challenges from all sectors of society; therefore, adversaries may use bitcoin's weaknesses to make considerable profits. This survey presents an overview and detailed investigation of data security and privacy in the bitcoin system. We examine the studies in the literature/Web in two categories: 1) analyses of the attacks on the privacy, availability, and consistency of bitcoin data and 2) summaries of the countermeasures for bitcoin data security. Based on the literature/Web, we list and describe the research methods and results for the two categories. We compare the performance of these methods and illustrate the relationship between the performance and the methods. Moreover, we present several important open research directions to identify the follow-up studies in this area.

Keywords security, privacy, bitcoin, availability, consistency

1 Introduction

Bitcoin○1 is a distributed electronic payment system developed by a scholar named Satoshi Nakamoto. Since its invention, many merchants have increasingly expressed their willingness to accept bitcoin as a payment method. Currently, 14 355 merchants across the globe are already using bitcoin○2, and the market value of bitcoin continues to rise, with the current market value at US$160 billion○3. Consequently, bitcoin has had a major economic and technological impact worldwide.

The underlying technology of bitcoin is blockchain. The blockchain technology combines multiple computer technologies such as encryption, distributed storage, consensus, and peer-to-peer (P2P) networking [1]. These key technologies make blockchain open, secure, and trustworthy. Moreover, these techniques allow transactions to be continuously linked to the blockchain, which records all transactions and historical data by establishing a jointly maintained and untampered database. Internet users who are unaware of one another can reach a credit agreement through a point-to-point ledger or digital encryption without any central trust [2]. Therefore, blockchain has attracted considerable research attention from various industries [3–11]○4○5.

The security of bitcoin data, which is the fundamental enabling factor of bitcoin, is particularly important along with its future development. Adversaries currently use blockchain's characteristics to conduct various attacks on bitcoin data. First, the openness of bitcoin data exposes users' privacy. Adversaries can define the relationship among addresses through transactions [12]. Second, adversaries initiate abnormal or incorrect access to bitcoin data via the bitcoin network, which undermines the availability of bitcoin data. A bitcoin address can be associated with an Internet protocol (IP) address; therefore, adversaries can track the correspondence among addresses, users, and real identities [13, 14]. Third, bitcoin data will be inconsistent if an adversary passes an attack on the blockchain consensus mechanism or discards confirmed blocks from the blockchain. Furthermore, bitcoin is vulnerable to selfish mining attacks [15–17], which undermine the consistency of bitcoin data. In addition to these problems, many other security threats have been associated with bitcoin, such as attacks [15] and miner attacks [18]. These threats significantly affect the security of bitcoin data, thereby threatening the related blockchain applications.

Recently, some surveys about bitcoin or blockchain security have been conducted. Saad et al. [19] introduced the attacks on the public blockchain from the perspective of encryption, distribution, and application. Conti et al. [20] presented a survey on the security and privacy of bitcoin. Li et al. [21] summarized some cases of attacks against blockchain 1.0 and 2.0. Gervais et al. [22] surveyed the security and adversarial strategies of proof-of-work (PoW); however, these studies lack a systematic description and categorization of threats and countermeasures. Because of the rapid development of bitcoin and blockchain, many new threats and countermeasures have emerged; therefore, up-to-date research is required to meet the requirements of blockchain development.

Our study summarizes and analyzes the security and privacy of bitcoin data. We present the attacks and defenses of bitcoin in terms of privacy, availability, and consistency. Data privacy attacks include the threats to transaction and identity privacy; data availability attacks include the threats brought by network traceability and eclipse attacks; data consistency attacks include the threats caused by double spending, selfish mining, and block withholding attacks. Accordingly, we present the corresponding countermeasures for the threats of each type of attack.

Our primary contributions are listed below.

• We present an overview and detailed investigation of data security and privacy in the bitcoin system.

• We examine the studies in the literature/Web in two categories: 1) analyses of the attacks on the privacy, availability, and consistency of bitcoin data and 2) summaries of the countermeasures for bitcoin data security.

• Based on the literature/Web, we list and describe the research methods and results for the two categories. We compare the performance of these methods and illustrate the relationship between the performance and the methods.

• We discuss research hotspots and present future research directions.

The rest of this study is organized as follows. In Section 2, we introduce an overview of bitcoin. In Section 3, we introduce the attack classification. In Section 4 and Section 5, we list and describe research methods and results for the attacks and the corresponding countermeasures, respectively; we compare the performance of these methods and illustrate the relationship between the performance and the methods. In Section 6, we present the research directions for the future. Finally, in Section 7, we provide a summary of our survey.

This work was supported by the Key-Area Research and Development Program of Guangdong Province of China under Grant No. 2019B010137003, the National Natural Science Foundation of China under Grant Nos. U1836212, 61972039, 61872041, 61602039 and 61871037, the Beijing Natural Science Foundation of China under Grant No. 4192050, the Key Laboratory of Information Network Security, Ministry of Public Security, and the Pre-Study Foundation of Weapons and Equipment under Grant No. 31511020401.
∗Corresponding Author
○1 Nakamoto S. Bitcoin: A peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf, Apr. 2019.
○2 NewsBTC. Coinmap's heat map shows places that accept Bitcoin. https://www.investopedia.com, Jun. 2019.
○3 Golden finance. Market value. https://www.jinse.com/coin/bitcoin, Jun. 2019.
©Institute of Computing Technology, Chinese Academy of Sciences 2020

2 Overview of Bitcoin

Bitcoin implements transactions through addresses. The address is not associated with the user's identity. Each user may have multiple addresses, which can ensure better anonymity if a different bitcoin address is used for each receiving transaction.

2.1 Underlying Technology for Bitcoin

Blockchain is the underlying technology for implementing bitcoin; it was originally a unique method for storing data in bitcoin. Moreover, blockchain

is a self-referencing data structure that stores a large amount of transaction information. Each record is linked from the back to the front; thus, the blockchain is open and transparent, cannot be tampered with, and can be easily traced. Furthermore, this feature directly reflects the bitcoin characteristics; hence, using the blockchain technology can properly summarize the technical implementation behind bitcoin.

○4 Burniske C, White A. Bitcoin: Ringing the bell for a new asset class. https://research.ark-invest.com/hubfs/1 Download Files ARK-Invest/White Papers/Bitcoin-Ringing-The-Bell-For-A-New-Asset-Class.pdf, Apr. 2019.
○5 Gartner. Top 10 strategic technology trends for 2017. http://www.gartner.com/technology/topics/trends.jsp, Apr. 2019.

2.1.1 Blockchain Architecture

Fig.1 shows the blockchain architecture, which includes the application layer, contract layer, incentive layer, consensus layer, network layer, and data layer [23]. The contents of each layer are as follows.

• The data layer encapsulates the chain structure, data blocks, encryption techniques, and time-stamping techniques. Moreover, it implements the core business of the blockchain, i.e., a reliable and credible data transfer between two addresses.

Fig.1. Blockchain architecture [23]. [Figure: six layers stacked from top to bottom (application layer, contract layer, incentive layer, consensus layer, network layer, data layer); the characteristics decentralization, timing data, collective maintenance, programmability, and security and trust are shown alongside, with transactions flowing through the layers.]

• The application layer implements the interaction between the user and the application scenario. Typical blockchain applications include , data deposit, and energy applications.

• The contract layer encapsulates the logic code that can be stored and executed on the blockchain. The contract code is stored in the script file of the transaction, and the code will run permanently once the transaction is written to the block. The execution of the contract requires external triggering, and all blockchain verification nodes will verify the contract logic and write the execution result to the blockchain. Compared with traditional code, smart contracts have the advantages of logical disclosure and transparency of the execution process; moreover, they have high credibility. In bitcoin, a contract is a script in a transaction that is used to implement complex services such as delayed transactions and conditional transactions.

• The incentive layer sets up incentives to reward users who participate in the consensus, to encourage more users to participate in the consensus and improve the system's security. For example, in bitcoin, the nodes participating in the accounting are called miners, and those who successfully obtain billing rights will receive bitcoin as a reward.

• The consensus layer guarantees that the global ledger maintained by all legal nodes of the blockchain system is the same. The consensus mechanism for bitcoin is PoW.

• The network layer ensures that the blockchain nodes can effectively communicate over a P2P network. The main contents include the networking mode of the blockchain network and the communication mechanism between the nodes.

2.1.2 Blockchain Characteristics

The technical architecture of the blockchain determines that the blockchain has the following characteristics [23].

• Decentralization. The storage, transmission, and verification of the blockchain data are based on the distributed system architecture. The whole network does not rely on centralized hardware and a management structure as a deployment mode of the blockchain. All participating nodes in the public chain network can have equal rights and obligations.

• Timing Data. The blockchain technique requires that the node receiving the accounting rights must place a timestamp in the current data block header to label the block data write time; therefore, the blocks on the blockchain are arranged in chronological order.

• Collective Maintenance. Each blockchain node monitors the data and new blocks broadcast in the blockchain network. The node that receives the data sent by a neighbor first verifies the data validity. If the data is valid, the storage pool is established for the new data, and the valid data not recorded in the temporary storage block is continuously transferred to the adjacent node. Otherwise, the data will be discarded immediately.

• Programmability. The blockchain provides a user-programmable scripting system that considerably increases the flexibility of blockchain applications. In bitcoin, the script is not very mature and is used for trading purposes.

• Security and Trust. The blockchain uses asymmetric encryption to encrypt data. The computing power provided by the blockchain network is very large; hence, tampering with the data in the blockchain requires much power, equipment, and other costs.

2.2 Bitcoin Address

The bitcoin address can be obtained from a public key using a one-way cryptographic hash algorithm, which receives an input of any length to produce a fingerprint or hash. Cryptographic hash algorithms (SHA) [1] are extensively used in bitcoin, e.g., for bitcoin addresses, script addresses, and the PoW algorithm in mining. The algorithms used to generate the bitcoin address from the public key are the secure hash algorithms and the RACE Integrity Primitives Evaluation Message Digest (RIPEMD) [1], particularly SHA256 and RIPEMD160. Taking the public key K as input, its SHA256 hash value is calculated first, and the RIPEMD160 hash of this result is then calculated to obtain a number of 160 bits. In the formula A = RIPEMD160(SHA256(K)), K is the public key and A is the generated bitcoin address, which is different from the public key. Fig.2 shows the specific generation process. The bitcoin address that users see is usually encoded by Base58Check [1]. This code uses 58 characters and checksums to improve readability, avoid ambiguity, and effectively prevent errors in address transcription and input.

Fig.2. Bitcoin address generation process schematic. [Figure: random number → private key → elliptic curve multiplication on SECP256K1 (one-way) → public key → hash function (one-way): SHA256, then RIPEMD160 → public key hash → Base58Check code → bitcoin address.]

2.3 Bitcoin Wallet

A bitcoin wallet is a container for storing and managing bitcoin private keys [1]. Unlike traditional wallets, bitcoin wallets do not store bitcoin but store the public and private key pairs corresponding to bitcoin. Users use the private key to sign transactions and use the public key to generate the address that receives the sender's bitcoin. During the use of bitcoin, control of the bitcoin is established by the private key, the bitcoin address, and the digital signature. The bitcoin address can be generated from the public key, the public key is derived from the private key, and the digital signature can only be generated by the private key. Therefore, whoever holds the bitcoin private key obtains the right to use the bitcoin. Because the private key is very important in the bitcoin system, dedicated hardware and software are needed to protect the secure and orderly use of the private key. The above description is the role that bitcoin wallets play in the bitcoin system.

Currently, secure bitcoin storage methods include full-node wallets, hardware wallets, hierarchical deterministic wallets, multi-signature wallets, and more. A full node [1] maintains all of the blockchain data and synchronizes all transaction data of the bitcoin network. A hardware wallet [1] is an offline store of private keys that contains an offline part that can determine whether a transaction is signed or not. The hierarchical deterministic wallet [1] uses a random number to generate a master private key, and the master private key then generates a series of sub-private keys. This process is irreversible and can implement permission control management. The multi-signature wallet [1] requires m-of-n signatures to achieve multiple private keys and user control management. Due to the large amount of data in the blockchain, the full-node wallet severely limits the usage scenarios of ordinary users. Therefore, many bitcoin wallet clients are currently adopting the simplified payment verification (SPV) mode. The SPV wallet only maintains the blockchain data related to its local addresses, verifying the legality of a transaction by requesting a full node.

2.4 Bitcoin Transaction

A bitcoin transaction [1] is the transfer of bitcoin from one user's wallet to another. Note that every transaction performed through bitcoin is traceable.

One transaction's input address is derived from a previous transaction's output, and the transaction's output address is used as another transaction's input, forming a transaction chain. Analysts can obtain any use of funds and related transactions for any blockchain address based on the chain relationship between transactions.

Fig.3 shows an example illustrating the simple transaction process, assuming that Alice launched transaction TXA, Bob launched transaction TXB, and Mike launched transaction TXC. The relationship between the transaction inputs and outputs is depicted in the figure.

Fig.3. Bitcoin transaction schematic. [Figure: TXA: Alice 3.0 BTC → Mike1 2.5 BTC and Alice change 0.5 BTC; TXB: Bob 2.0 BTC → Mike2 2.0 BTC; TXC: Mike1 + Mike2 → 4.0 BTC to other users and Mike change 0.5 BTC.]

In TXA, Alice used 3.0 bitcoin (BTC) as the input for the transaction, where 2.5 BTC was output to an address of Mike and 0.5 BTC was output to Alice's change address. In TXB, Bob used 2.0 BTC as the input for the transaction and output it to another address of Mike. In TXC, the two addresses of Mike (Mike1, Mike2) just mentioned were used as input, where 4.0 BTC was sent to the address of other users, and 0.5 BTC was output to Mike's change address. It is assumed that these transactions had no transaction fees.

2.5 Bitcoin Network

The bitcoin network [1] adopts P2P networking technology, which is decentralized and dynamically changing. The nodes in the network are geographically dispersed but are peer-to-peer servers. No central node exists, and any node can freely join or exit the network. Currently, the largest blockchain network is the bitcoin network, which is built on the Internet with nodes from all over the world. The average number of nodes providing services to the Internet is 9 000 per day, and the total number of nodes, including those that do not provide services, is estimated to be 100 000.

The communication among blockchain nodes is categorized into two main types.

• The communication to maintain a connection between a node and the blockchain network usually involves requesting other nodes' address information and broadcasting the node's own address information (the address information refers to the IP address and port number in TCP/IP). When a node newly joins the blockchain network, it first reads the seed addresses hard-coded in the client program and requests neighbor node addresses from these seed nodes. It then continues to search for more address information and to establish connections through these addresses until the number of neighbor nodes reaches a stable value. Then, the node periodically verifies the reachability of the neighbor nodes by pinging and replaces the unreachable nodes with new ones. Moreover, the node will periodically broadcast its own address information to its neighbor nodes to ensure that the information of the new node is received by more nodes.

• The communication for completing the upper-layer service usually includes forwarding transaction information and synchronizing block information (transactions and blocks are data structures in the blockchain, which are introduced at the data layer). The node uses the relay forwarding mode when forwarding transaction information. The originating node first forwards the transaction to its neighboring nodes; each neighboring node then receives the transaction and forwards it to its own neighboring nodes, and the transaction gradually spreads throughout the network. Block synchronization adopts a request-response mode. The node first sends its own block height to the neighbor node. If it is smaller than the neighbor node's height, it requests the blocks that it lacks. If it is greater than the neighbor node's height, the neighbor node requests the block information in reverse. All nodes continuously exchange block information with neighbor nodes, thereby ensuring that the block information of all nodes in the entire network is synchronized.

2.6 Bitcoin Consensus Mechanism

The blockchain uses a consensus mechanism to ensure that the global ledger maintained by all legitimate nodes is the same [1]. Bitcoin's consensus mechanism uses PoW [1]. The PoW mechanism sets up a mathematical problem and lets the participating nodes solve it. The node that pays the maximum amount of computing power during the solution process will be selected as the accounting node (i.e., the node will generate a new block). Other nodes update their global ledger by accepting this block. The problem of data being out of sync caused by multi-user billing is solved by selecting a specific user for billing.

In mining, the miners solve the mathematical problem, and the first miner to solve the problem correctly gets the bookkeeping right. A bitcoin miner has only limited mining power. A group of miners can form a pool to jointly mine and designate a bitcoin recipient who is also the administrator of the mining pool. Regardless of who discovered a valid block, the mining pool manager will receive the reward for the block, which, in turn, will be distributed to all pool participants based on the amount of work contributed by each participant. The mining pool administrator, of course, may keep a part of it as revenue for the mining management service.

However, such a consensus mechanism wastes much computing power. Moreover, the right to charge to an account will gradually be monopolized by users with large computing power (e.g., mining pools), which leads to multiple security problems.

3 Classification of Bitcoin Data Attacks

As previously mentioned, the security and privacy of bitcoin data is mainly divided into three aspects: privacy, availability, and consistency.

Definition 1 (Data Privacy Attack). It refers to data leakage or data obtained by attackers through analysis.

Definition 2 (Data Availability Attack). It refers to abnormal or incorrect access to the bitcoin data via the bitcoin network to undermine the availability of the bitcoin data.

Definition 3 (Data Consistency Attack). It refers to passing an attack on the blockchain consensus mechanism or discarding confirmed blocks from the blockchain to make the bitcoin data inconsistent.

Each aspect contains several attacks, listed in Table 1. We present the threats to transaction and identity privacy in the data privacy attack, those caused by network traceability and eclipse attacks in the data availability attack, and those brought by double spending, mining pool, and miner attacks in the data consistency attack.

Table 1. Classification of Bitcoin Data Attacks
Classification            | Subclass                     | Reference
Data privacy attacks      | Transaction privacy attacks  | [12, 24, 25]
                          | Identity privacy attacks     | [12, 24–30]
Data availability attacks | Network traceability attacks | [13, 14, 31–33]
                          | Eclipse attacks              | [14, 34–36]
Data consistency attacks  | Double-spending attacks      | [36–40]
                          | Selfish mining attacks       | [17, 41–44]
                          | Block withholding attacks    | [17, 18, 41, 45, 46]

4 Bitcoin Data Attacks

4.1 Data Privacy Attacks

In bitcoin, every transaction is traceable. A transaction output is the input to another transaction, thereby forming a transaction chain. Analysts can obtain the use of any coins and the relevant transactions of any address based on the chain of transactions. Potential attackers can analyze users' transactions and identity privacy by analyzing transaction records.

4.1.1 Transaction Privacy Attacks

The transaction input comes from the output of another transaction. Analysts can obtain the following information based on the bitcoins in transactions.

• Use of Bitcoin. Bitcoin comes from the mining process; it is first recorded in the miners' mining address and then transferred to other addresses. Both mining and transaction information are recorded in the global ledger; therefore, an attacker can acquire all transactions of any bitcoin by analyzing these public data.

• Bitcoin Addresses. Each blockchain transaction details the information of all the input and output addresses.

Therefore, analysts can obtain the following information.

• Finding Bitcoin Relations Between Different Addresses. The transfer of coins between accounts reflects the relationship between accounts. Reid and Harrigan [12] analyzed the accounts published by WikiLeaks and tallied the balances, bitcoin sources, and flows of the bitcoin addresses published on the WikiLeaks website○6. Moreover, they analyzed a stolen address in bitcoin and found the five closest addresses to the theft address, thus revealing the pre- and post-theft bitcoin flows.

• Tracking Special Transactions. Analysts can monitor the transaction information of special transactions involving large amounts or suspected malicious acts such as theft, and further trace the flow of bitcoins through continuous observation. Liao et al. [24] showed the attack of CryptoLocker, which extorts bitcoin by encrypting

the victim's files. They studied the related transactions of public bitcoin ransomware addresses. A total of 968 addresses that belong to the organization were found, and ransom transactions worth 1128.40 BTC were identified. This information assists in determining the identity of the criminals.

○6 WikiLeaks. http://www.wikipedia.org, Apr. 2019.

• The rule of transactions can reveal the relationship between transactions. Ron and Shamir [25] focused on transaction statistics and traced 364 transactions of more than 50 000 BTC. Moreover, they studied the transaction rules for a transaction of 90 000 BTC. Consequently, they found that large transactions used various methods to disperse bitcoins to different addresses. These transaction modes include long chains, fork-merge patterns, and self-loop patterns.

4.1.2 Identity Privacy Attacks

The bitcoin architecture reveals the following.

• Multiple input addresses belong to the same person or organization. Multi-input transactions are initiated by the same user because each input in a multi-input transaction requires a separate signature [12, 24, 25].

• Multiple output addresses in the same Coinbase○7 transaction belong to the same user set. Many miners want to increase their income by joining one mining pool, where they participate in collective mining. All miner addresses involved in mining are recorded as the Coinbase transaction output.

• Input addresses and the change address belong to the same user. The change address is generated by the bitcoin system, which saves the change bitcoins in one transaction○8. The features of the change address include the following: the output address usually appears only once; the change address belongs to the transaction input or output of only one transaction; and only the change address cannot appear among the output addresses.

Analysts can discover the correlation between different addresses and reduce the anonymity of blockchain addresses using bitcoin's design. Meiklejohn et al. [28] used heuristic analysis to analyze the transaction data in the blockchain to identify the same user's different addresses. They analyzed the public addresses of Silk Road○9 and those associated with some theft cases and found many related addresses. Zhao and Guan [29] proposed a clustering process for bitcoin transaction data. Based on the analysis of 35 587 286 addresses in the global ledger of bitcoin, 13 062 822 different users exist.

Bitcoin transaction information can be used to speculate on identity privacy.

• Transaction Characteristics. Usually, the transaction characteristics are related to the actual transaction processes. Many transaction behaviors have their own characteristics in daily life [26]. For example, transactions at breakfast stores often occur in the morning, and the transaction amount is 1–20 coins. Gas station transaction times are spread evenly; however, the transaction amount is concentrated in a few specific values (i.e., 100 coins, 200 coins, or the full price). Note that changes following the change of oil price have a universal regularity.

• Transaction Rules. Each user has a different transaction behavior. Monaco [27] analyzed the transaction parameters and then proposed a method based on parameter identification.

4.2 Data Availability Attacks

The main threat to data availability is abnormal or incorrect access to bitcoin data.

4.2.1 Network Traceability Attacks

In the bitcoin network, IP addresses, topology, and transmission information can be obtained by attackers. An analyst can analyze the user's identity privacy based on this information. Each network node is connected to many other nodes via the P2P network, and the connection relationship between these nodes can be analyzed [47]○10.

Transaction traceability is used to estimate the transaction propagation path according to the time order in which the different nodes' copies of the transaction arrive at the probe shown in Fig.4. Ideally, the originating node's copy is the earliest to arrive at the probe, and the arrival order of the n-th neighboring nodes increases with their distance. In the actual environment, the time order in which different nodes' transmitted transactions arrive at the probes is affected by many factors such as network delay and delayed transmitting strategies. Moreover, the transactions transmitted by long-distance nodes may arrive earlier. We will consider herein various influencing factors and calculate the trading order accuracy to accurately analyze the matching degree between the transaction ranking and the node network topology.

○7 Bitcoin community. Coinbase. https://en.bitcoin.it/wiki/Coinbase, Apr. 2019.
○8 8BTC. Change. http://8btc.com/article-2027-1.html, Apr. 2019.
○9 https://en.wikipedia.org/wiki/Silk_Road, June 2020.
○10 Andrew M. Discovering Bitcoin's public topology and influential nodes. http://cs.umd.edu/projects/coinscope/coinscope.pdf, Apr. 2019.

Fig.4. Transaction traceability mechanism. [Figure: a probe node keeps monitored links to a server, neighbor nodes, and the victim node; the transaction propagation path is marked as first, second, and third forwarding along the connected paths.]

The network traceability technology uses the collected transmissions of the bitcoin network to analyze the transmission path of bitcoin transactions in the network. It then tracks the IP information of the server that generated the transaction. This technology can directly connect an anonymous transaction to the trade-originating node's IP address to permit traceability. However, the existing network traceability technology has low accuracy and generally needs additional computing and storage resources; therefore, it is less practical.

Bitcoin users can make double-sided transactions of bitcoin tokens by creating bitcoin transactions with other users on servers anywhere in the world [31–33]. The transaction does not require the participation of third parties, and the addresses used by both parties in the transaction are anonymous; hence, the real identity of the bitcoin traders is hard to find.

The transaction traceability technology aims to track the transmission path of bitcoin transactions in the network to determine the originating node of a transaction, which is the first server node of the transaction in the bitcoin network. The anonymous account number in the transaction can be associated with the user identity once a bitcoin transaction is associated with the originating node's IP address, thereby helping identify the identity information of the malicious trader and analyze the flow of the bitcoin funds.

The network traceability technology analyzes the transaction information transmitted by the bitcoin network, locates the propagation path of a specific transaction, and infers the origin node of the transaction. Koshy et al. [13] analyzed the patterns of bitcoin transactions in the network and found that the origin node can be searched for using a special transaction mode. For example, a transaction that is transmitted by only one node is usually caused by a problem with the transaction format. Such a transaction is then transmitted only once by the originating node; however, the effect of this method is limited because of the small proportion of all transactions in the special transaction mode (less than 9% of the special transactions in the paper's trial).

Biryukov et al. [14] analyzed transaction traceability using neighbor nodes. Consequently, the traceability accuracy can be improved using the neighbor nodes as the basis for judgment. However, the solution must continuously send information to all the nodes in the bitcoin network, which may cause serious interference to the bitcoin network, and is less practical.

4.2.2 Eclipse Attacks

Heilman et al. [34] described the eclipse attack, which exploits the broadcast features of P2P networks. The attacker controls the reception and transmission of all information of the victim node, causing the victim node's inbound connections to come from the illegal node. The attack node maliciously fills the victim node's routing table before the victim node restarts, thus forcing the victim node, after the restart, to establish outgoing connections with the attack addresses in the routing table [34, 35]. Moreover, the attack node continuously establishes incoming connections with the victim node. The victim node's channel is eventually monopolized and its information flow is controlled, such that it can only receive useless or even malicious information sent by the attack node. The attack node can control the blockchain channel and information flow of more nodes and gradually control most of the blockchain network if it can successfully implement eclipse attacks on more nodes. Attackers can even launch 51% attacks and double-spending attacks on this basis, thereby causing more serious consequences.

The eclipse attack process is usually divided into four steps, shown in Fig.5.

Fig.5. [Figure, caption not on this page: control multiple attack addresses → create incoming connections periodically → send ADDR message to victim nodes → ...]

• Selecting Outgoing Connections. After the victim node is restarted, all connections fail if the address is selected from the new table to establish an outgoing connection. Therefore, the victim node is forced to pick only the addresses from the tried table. The victim node prefers to select the most recently updated addresses; thus, all the outgoing connections of the victim node are connected to the attack addresses.

• Monopolizing the Eclipsed Victim.

... stored in the tried table, and the addresses contained in the ADDR message can be directly inserted into the new table. The nodes will not test the addresses' connectivity. Therefore, when the attack nodes are connected to the victim node through the attack addresses, the attack node can send an ADDR message containing a lot of "trash" IP addresses that will gradually overwrite all the legal addresses of the new table. The nodes rarely obtain network information from their neighbor nodes and DNS seeders. Thus, when an attacker overwrites the tried and new tables of the victim node, the victim node almost never verifies their authenticity by querying a legitimate peer or seeder.

• Restarting the Victim. The victim node will be restarted by the eclipse attack. After the node is restarted, the victim node can be connected to the attack addresses. The reasons for a bitcoin node's restart include ISP shutdown, machine shutdown, and operating system upgrade of the mining machine [14, 36]○11–○13.
If the above at- tack is successful, the attacker must control all incoming Restart Victim Nodes connections to the victim node to truly monopolize the victim node. The eclipse attack will cause other attacks. Table 2 Reselect the Outgoing Monopolize the shows the main attacks. These attacks will be described Node Eclipsed Victim in detail in Section 5.

Successful Attack 4.3 Data Consistency Attacks

Fig.5. Eclipse attack flow. Data consistency attacks refer to passing an attack • Populating Tried and New Tables. The blockchain on the blockchain consensus mechanism to make the node is capable of receiving the addresses of unsolicited bitcoin data inconsistent. This type primarily includes incoming connections and an unsolicited ADDR mes- double spending, selfish mining, and block withholding sage. The addresses of the incoming connections will be attacks.
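Before turning to the consistency attacks, an added example (written for this page, not taken from the survey or from Heilman et al.) that models the four eclipse-attack steps above as a toy simulation in Python: the victim's tried and new tables fill from inbound connections and unverified ADDR messages, and after a restart the outgoing connections are reselected from the freshest tried entries. The table sizes, address counts, the RFC 5737 documentation IP ranges and the ADDR-rate blacklist rule are all assumptions of the example; the blacklist models the detect-and-block defence of Section 5.2.2, not a Bitcoin Core mechanism.

```python
from collections import OrderedDict
import random

TABLE_SIZE = 64       # toy capacity of each address table (constructed; real tables are far larger)
OUTGOING = 8          # outgoing connections the node re-establishes after a restart
ADDR_LIMIT = 16       # toy detector threshold: unsolicited addresses one peer may announce
ATTACK_ADDRS = 100    # addresses the attacker controls in this scenario (constructed)
TRASH_PER_MSG = 50    # "trash" addresses in each attacker ADDR message (constructed)


class VictimTables:
    """Address tables of the victim as the survey describes them: `tried` holds the
    addresses of inbound connections, `new` holds addresses from unsolicited ADDR
    messages, neither is connectivity-tested, and the freshest entries come last."""

    def __init__(self):
        self.tried = OrderedDict()   # addr -> (owner label, peer that contributed it)
        self.new = OrderedDict()
        self.blacklist = set()
        self.announced = {}          # peer -> number of addresses it has announced

    def _insert(self, table, addr, owner, peer):
        table.pop(addr, None)        # re-insert so the entry counts as most recent
        table[addr] = (owner, peer)
        while len(table) > TABLE_SIZE:
            table.popitem(last=False)   # the oldest (legitimate) entry is overwritten

    def _purge(self, peer):
        for table in (self.tried, self.new):
            for addr in [a for a, (_, p) in table.items() if p == peer]:
                del table[addr]

    def inbound(self, peer, owner):
        """An unsolicited inbound connection from `peer` lands in `tried`."""
        if peer not in self.blacklist:
            self._insert(self.tried, peer, owner, peer)

    def addr_message(self, peer, addresses, owner, detect):
        """ADDR payload from `peer` goes straight into `new` (step "Populating Tried
        and New Tables"). With `detect`, a peer announcing more than ADDR_LIMIT
        addresses is blacklisted and everything it contributed is purged, a toy form
        of the detect-and-blacklist defence of Section 5.2.2."""
        if peer in self.blacklist:
            return
        if detect:
            self.announced[peer] = self.announced.get(peer, 0) + len(addresses)
            if self.announced[peer] > ADDR_LIMIT:
                self.blacklist.add(peer)
                self._purge(peer)
                return
        for addr in addresses:
            self._insert(self.new, addr, owner, peer)

    def restart(self):
        """Step "Selecting Outgoing Connections": `new` entries fail, so the node
        connects to the OUTGOING most recently updated `tried` entries."""
        recent = list(self.tried.values())[-OUTGOING:]
        return [owner for owner, _ in recent]

    def share(self, table, owner):
        """Fraction of a table's entries contributed by `owner`."""
        return sum(1 for o, _ in table.values() if o == owner) / max(len(table), 1)


def run_scenario(detect, seed=1):
    """Return the attacker's share of `tried`, of `new`, and of the outgoing
    connections chosen after the restart, for one constructed scenario."""
    rng = random.Random(seed)
    node = VictimTables()
    for i in range(TABLE_SIZE):                      # healthy state before the attack
        node.inbound(f"10.0.0.{i}", "honest")
        node.addr_message(f"10.0.0.{i}", [f"10.0.1.{i}"], "honest", detect)
    for k in range(ATTACK_ADDRS):                    # Fig.5 steps 1-3 (documentation IPs)
        peer = f"198.51.100.{k}"
        node.inbound(peer, "attacker")
        trash = [f"203.0.113.{rng.randrange(256)}" for _ in range(TRASH_PER_MSG)]
        node.addr_message(peer, trash, "attacker", detect)
    picks = node.restart()                           # Fig.5 step 4: restart and reselect
    return (node.share(node.tried, "attacker"),
            node.share(node.new, "attacker"),
            picks.count("attacker") / OUTGOING)


if __name__ == "__main__":
    print("no detection     :", run_scenario(False))   # (1.0, 1.0, 1.0)
    print("with blacklisting:", run_scenario(True))    # (0.0, 0.0, 0.0)
```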

○11 King L. Bitcoin hit by 'massive' DDoS attack as tensions rise. http://www.forbes.com/sites/leoking/2014/02/12/bitcoin-hit-by-massive-ddos-attack-as-tensions-rise/, Apr. 2019.
○12 Forum B. Bug bounty requested: 10 BTC for huge dos bug in all current bitcoin clients. https://bitcointalk.org, Apr. 2019.
○13 CVE. CVE-2013-5700: Remote P2P crash via bloom filters. https://en.bitcoin.it/wiki/Common Vulnerabilities and Exposures, Apr. 2019.

852 J. Comput. Sci. & Technol., July 2020, Vol.35, No.4

Table 2. Some Other Attacks That May Be Caused by an Eclipse Attack

Reference | Attack | Description
[36–40] | Double-spending threat | Using the same cryptocurrency in multiple transactions by a sender
[17, 41–44] | Selfish mining attack | Hiding the excavated blocks to cause the chain to fork
[17, 18, 41, 45, 46] | Block withholding attack | The attacker never submits any blocks

4.3.1 Double-Spending Attacks

Double-spending attacks refer to the use of the same cryptocurrency in multiple transactions by a sender. Bitcoin uses the PoW system, whose confirmation time is 10 minutes between blocks. Therefore, an attacker will implement an attack in this time interval. If the attacker has a significant amount of computational power, he or she will be more likely to successfully perform the attack.

The double-spending attack is a unique attack on the bitcoin system that falls into two types.

• Attackers use the same bitcoin to trade with multiple users at the same time. If these trading users complete the transaction without the transaction being recorded in the legal blockchain, the attacker achieves the goal of double spending or even multiple spending [36–39]○14. Although only one of the multiple transactions launched by the attacker is considered legal and recorded in the blockchain, the other transactions have been completed and the attacker has benefited from the attack.

• Attackers use their own computing power to launch an attack. The attacker uses the same bitcoin in two transactions A and B with two users. Transaction A is completed once it is confirmed and recorded in the blockchain. The attacker has powerful computing power; hence, he/she records transaction B in a private blockchain and mines a longer chain than the legal one, prompting transaction B to be confirmed and completed [40].

Karame et al. [39] analyzed the double-spending threat of bitcoin in the fast payment scenario. Fig.6 shows the attack model. We assume that the attacker A must pay BTC to a vendor V and A creates the transaction TXV to V. A simultaneously creates another transaction TXA with the same BTC as those involved in TXV's inputs to realize double spending. The successful implementation of a double spending attack must meet the three following requirements.
• TXV is added to V's wallet.
• TXA is confirmed in the blockchain.
• V's service time is less than the time when V detects the wrong behavior.

[Fig.6. Double-spending attack model [39]. Figure residue only: the attacker sends one transaction to the vendor and, in parallel, a transaction to a colluding address through the bitcoin network and bitcoin mining pools.]

Preventing double spending attacks usually takes 10 minutes because of the PoW mechanism; therefore, it does not apply to quick payment scenarios. Furthermore, without a suitable detection mechanism, double spending attacks can be implemented in a low-cost manner.

4.3.2 Selfish Mining Attacks

A selfish mining attack [17] is a typical attack on bitcoin. A cryptocurrency such as bitcoin requires high computing power to solve the cryptographic puzzle for a miner; thus, mining becomes very difficult. Therefore, a group of miners (or mining pool) usually combine with each other and share the rewards after successfully solving the puzzle. This helps individual miners obtain a more continuous and constant income than when mining alone.

Eyal and Sirer [17] proposed that the presence of a group of selfish miners who use selfish mining strategies and succeed may invalidate the work of honest miners. A malicious mining pool does not publish the blocks it finds and creates a fork. Therefore, the public chain is maintained by honest miners and the private fork by the malicious mining pool. Once the fork is the longest chain in the network, it will be recognized as the legal chain by honest miners. Accordingly, the original public chain and the honest data it contains will be discarded. The results of the study have shown that the selfish mining strategy will obtain more benefits. Furthermore, the analysis has illustrated that the existing protocol will no longer be safe if the selfish pool exceeds one third of the total network power.

Courtois and Bahack [41] conducted an experimental simulation and a theoretical analysis of selfish mining. Their results showed that the computational waste of bitcoin was minimal and even decreased over time. Sapirshtein et al. [42] studied the optimal strategy of the underlying selfish-mining model. Moreover, Nayak et al. [43] showed that when this attack is combined with an eclipse attack, these strategies sometimes result in a gain of 30% depending on different parameters. Carlsten et al. [44] proposed a more complex selfish mining strategy that led to uneven returns and exceeded default mining and traditional selfish mining. Once deployed, the attack will be profitable and could result in 51% attacks or consensus failures.

4.3.3 Block Withholding Attack

The block withholding attack [18] is one of the typical attacks on bitcoin in which some malicious attackers who have joined a mining pool do not submit any mined blocks, reducing the revenue of the mining pool and wasting the computing power provided by the other miners. This type of attack is also called a sabotage attack. Malicious miners will usually not have any benefit. The block withholding attack will cause different losses to the miners and to the mining pools, and the mining pool's loss is relatively large compared with the miner's low cost. Consequently, the block withholding attack is more common between competing mining pools and less common among individual miners [17]. Fig.7 shows the block withholding attack diagram.

[Fig.7. Block withholding attack [18]. Figure residue only: miners α and miners β, Pool #1 and Pool #2, connected through the bitcoin network.]

Courtois and Bahack [41] analyzed actual examples and found that the primary hazard of the malicious miners who can profit from this attack is to waste the computing resources of the mining pools and reduce these pools' income. Eyal [45] analyzed the miner's dilemma game and found an equilibrium between the competing mining pools, which makes miners repeatedly choose whether or not to attack. Kwon et al. [46] extended the BWH attack [45] and proposed a new attack method, known as the fork after withholding (FAW) attack. The attack uses selfish mining on top of the block withholding attack. The FAW attack's frequency is four times that of the block withholding attack. Their research showed that in the case of two pools attacking each other, the higher the computing power, the easier it is to win.

5 Bitcoin Data Security Protection

5.1 Data Privacy Protection

A special data structure and a consensus mechanism are designed to ensure the reliability, non-falsification, and distributed consistency of the transactions [11]. The data structure and the consensus mechanism ensure the maintenance of a uniform, highly trusted public ledger among distributed untrusted network nodes; however, these mechanisms also lead to privacy risks. The full ledger leaks not only data privacy but also the relation between the traders who are behind the data and their identity privacy [12, 24–27]. Therefore, the focus of data privacy protection is to hide the data and the information behind it as much as possible.

We classify the different protection mechanisms according to the database privacy protection classification methods.

5.1.1 Data Distortion

The blockchain ledger is public; hence, the attacker can find the relationships in the transaction data. The attacker can infer the transaction and the identity privacy. To prevent this attack, we can adopt a method called mixing coin [48], which does not change the transaction results but adds confusion, as shown in Fig.8. Assume that Alice, Bob, and Mike have transaction addresses Alice1, Bob1, and Mike1, respectively. In the process of mixing coins, the coins are first mixed through the mixing addresses Mix1, Mix2, and Mix3; new addresses Alice2, Bob2, and Mike2 are generated, and the coins that need to be traded are sent to them. The coins are then output to these new addresses Alice2, Bob2, and Mike2 such that others cannot grasp their source.

The mixing coin mechanism is classified as follows.

[Fig.8. Bitcoin mixing service [48]. Figure residue only: Alice1, Bob1, and Mike1 each send 1 BTC through the mixing addresses Mix1, Mix2, and Mix3, and 1 BTC is output to each of Alice2, Bob2, and Mike2.]

• Mixing-Coin Scheme Based on a Central Node. This scheme utilizes third-party nodes for mixing coins, and the process of mixing coins is performed at a third-party node. These methods can improve bitcoin security without additional technology○15–○17; however, their defects include the following.

1) Additional Charge and Slower Mixing Speed. A mixing coin service node usually charges a fee. The cost sharply rises as the number of mixes increases. The usual delay time is 48 h and the transaction costs are between 1% and 3%.

2) Risk of Theft. In this scheme, the third-party node may not perform the agreement after receiving the user's coins and may steal them. The users do not have effective countermeasures.

3) Mixing Process Leaked by Intermediate Nodes. The third-party node in this scheme knows the entire mixing-coin process, and the users cannot guarantee that the third-party node will not leak the mixing-coin process information.

Many improvements have been made in response to these defects. Bonneau et al. [49] proposed an improved decentralized mixing coin that can be audited. Valenta and Rowan [50] designed a blindcoin scheme that can prevent a third party from divulging the process information. Chun et al. [51] presented a blind signature scheme that uses the elliptic curve to improve privacy. In 2015, Dash○18, which is an anonymous digital coin, was launched. From an economic point of view, Dash solves the threat posed by the centralized mixing coin.

• Mixing Coin Scheme Based on Decentralization. This scheme does not depend on third-party nodes. CoinJoin○19 is the original proposal. CoinJoin merges multiple transactions into one transaction in which the relationship between the transaction inputs and outputs can be hidden. For a multi-input and multi-output transaction, a potential attacker cannot effectively distinguish the relation between the inputs and the outputs by analyzing the transaction information. The idea of CoinJoin is used in many anonymous bitcoin transaction schemes such as Dark Wallet○20, CoinShuffle○21, and JoinMarket○22.

The CoinJoin mechanism enhances the privacy protection capabilities of all users. In a digital currency system, if only a fraction of the nodes use the CoinJoin protocol, the remaining users use neither this protocol nor the original method.

The CoinJoin mechanism has many defects, including the following.

1) Other users participate; hence, it also faces threats from the other nodes.

2) The information of each node participating in the mixing coin will be exposed to the others.

3) The mixing coin may fail if some nodes violate the rules.

4) The parties involved in the mixing-coin transaction will be recorded in the ledger.

Many scholars have proposed solutions. Ruffing et al. [52] proposed a completely decentralized CoinShuffle. Based on CoinJoin, the CoinShuffle scheme designs an output address shuffling mechanism that can complete the mixing process without a third party. It can also ensure that the mixing-coin participants do not know the relationship; however, the scheme can easily trigger denial-of-service attacks. Bissias et al. [53] designed Xim, which adopts a multi-round, two-party mixing-coin protocol. CoinParty [54] adopts a secure multiparty computation protocol to implement an improved scheme that can guarantee the effectiveness of the mixing-coin process in the case of a malicious operation or failure of some mixing nodes.

○15 Bitlaunder. https://bitlaunder.com, Apr. 2019.
○16 Bitcoinfog. http://bitcoinfog.info, Apr. 2019.
○17 Blockchaininfo. https://blockchain.info, Apr. 2019.
○18 Dash. https://www.dash.org, Apr. 2019.
○19 Greg M. CoinJoin: Bitcoin privacy for the real world. https://github.com/kristovatlas/coinjoin-sudoku, Apr. 2019.
○20 Andy G. 'Dark Wallet' is about to make bitcoin money laundering easier than ever. https://www.wired.com/2014/04/dark-wallet, Apr. 2019.
○21 Torpey K. CoinShuffle aims to improve privacy in bitcoin. http://insidebitcoins.com, Apr. 2019.
○22 Joinmarket — Coinjoin that people will actually use. https://bitcointalk.org, Apr. 2019.

Monero○23 is a new digital coin with the main characteristic of privacy protection. It adopts the ring signature mechanism to realize the mixing process. Compared with the other schemes, the mixing-coin process in Monero does not require user participation. Any user can independently carry out the currency mixing. Monero can effectively eliminate denial-of-service attacks on the decentralized mixing scheme and assist with the problem of users' mixing coin leakage.

Mixing coin is extensively used in blockchain digital coins, and many improvement schemes have been proposed. We compare and analyze the schemes herein and show the results in Table 3.

5.1.2 Data Encryption

An encryption mechanism is a common scheme in the field of privacy protection. By encrypting sensitive data, users who hold secret keys can read the data, whereas others cannot decrypt it, even if they have access to the data; thus, encryption ensures data privacy. In the traditional blockchain, the application data is stored in plaintext and any node can access the data. Therefore, using encryption technology to protect privacy in blockchain must ensure that the nodes can complete transaction verification tasks on the encrypted data. Furthermore, the impact of the encryption mechanisms on the validation efficiency must be reduced because blockchain transactions must be jointly verified by all nodes.

Specific transaction information must be encrypted in the blockchain. In digital currency, some protection schemes have been presented based on encryption.

• Monero is a cryptocurrency. The content of the transaction output address in a traditional digital currency includes the receiver's public key and address information. Moreover, the observer can directly determine the coin destination. In Monero, the output address is new address information obtained from the receiver's public key and a random parameter generated by the sender. The random parameter is known only to the sender; therefore, the observer cannot determine the relation between the new address information and the receiver. Generating different random parameters ensures that the output addresses of each transaction are different, and no correlation exists between them. Monero involves two key technologies: the stealth address and the ring signature. The stealth address aims to address the problem of the linkability of the input/output address. While ensuring that the recipient's address changes every time, a stealth address makes it impossible for an external attacker to see an address connection; however, it does not guarantee anonymity between the sender and the receiver. Therefore, Monero developed a ring signature scheme. Fig.9 shows that whenever a sender has to establish a transaction, he or she uses his or her private key and a certain number of public keys selected from the other users' public keys to sign the transaction.
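As an added example (not from the survey or from the Monero project) of the stealth-address derivation just described: the sender's random parameter r and the receiver's view and spend keys produce a one-time output address that only the receiver can recognise. The group parameters (a toy multiplicative group modulo 2^127 − 1 in place of Monero's Ed25519), the hash H_s and the fixed test keys are assumptions of the example.

```python
import hashlib
import secrets

# Toy group (constructed): the multiplicative group modulo the Mersenne prime 2^127 - 1,
# generator 3, exponents reduced modulo N = P - 1. Monero uses Ed25519 instead, but the
# derivation steps below are the same; nothing here is a secure parameter choice.
P = 2**127 - 1
N = P - 1
G = 3


def h_scalar(*parts):
    """Hash group elements to an exponent (stand-in for Monero's H_s)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen(a=None, b=None):
    """Receiver keys: a private/public view pair (a, A) and spend pair (b, B)."""
    a = a if a is not None else secrets.randbelow(N - 1) + 1
    b = b if b is not None else secrets.randbelow(N - 1) + 1
    return {"a": a, "b": b, "A": pow(G, a, P), "B": pow(G, b, P)}


def sender_output(A, B, r=None):
    """Sender side. The random parameter r (known only to the sender) yields the
    transaction public key R and the one-time output address P_out = G^H(A^r) * B.
    Only R and P_out are written to the ledger."""
    r = r if r is not None else secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)
    shared = h_scalar(pow(A, r, P))
    return R, pow(G, shared, P) * B % P


def receiver_scan(keys, R, P_out):
    """Receiver side. With the private view key a, R^a equals A^r, so the receiver
    recomputes the shared scalar and recognises its own output; the matching
    one-time spend key is H(R^a) + b. Returns that key, or None if not ours."""
    shared = h_scalar(pow(R, keys["a"], P))
    if pow(G, shared, P) * keys["B"] % P != P_out:
        return None
    x = (shared + keys["b"]) % N
    assert pow(G, x, P) == P_out            # the derived key really controls the output
    return x


def demo():
    """Two payments to the same receiver: different on-chain addresses, both found by
    the receiver, neither recognised by an unrelated key holder. An observer who
    sees (R, P_out) and knows (A, B) would have to compute A^r from R and A."""
    bob = keygen(a=11, b=222)                 # fixed toy keys so the run is repeatable
    mallory = keygen(a=333, b=45)
    out1 = sender_output(bob["A"], bob["B"], r=7)
    out2 = sender_output(bob["A"], bob["B"], r=123)
    return {
        "unlinkable": out1[1] != out2[1],
        "bob_finds_both": all(receiver_scan(bob, *o) is not None for o in (out1, out2)),
        "others_find_nothing": receiver_scan(mallory, *out1) is None,
    }


if __name__ == "__main__":
    print(demo())   # {'unlinkable': True, 'bob_finds_both': True, 'others_find_nothing': True}
```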

Table 3. Comparison of Mixing Mechanisms in Blockchain

Reference | Protocol | Reliance on Third Parties | Risk of Theft | Mixing Coins Cost | Resistance to DoS | Peculiarity
[48] | Mix | √ | √ | √ | Strong | The method is easy to use and is the most widely used.
[49] | Mixcoin | √ | √ | √ | Strong | The proof can be raised to reduce the risk of theft.
[50] | BlindCoin | √ | √ | √ | Strong | The blind signature mechanism is adopted to avoid leakage.
○24 | Dash | √ | √ | √ | Strong | The node that provides a mixing coin increases the cost of a violation by paying a deposit.
○25 | CoinJoin | N/A | N/A | N/A | Weak | No third parties are involved; hence, no risk of theft exists.
[52] | CoinShuffle | N/A | N/A | N/A | Weak | The participants of the mixing coin do not know the details of the currency.
[53] | Xim | N/A | N/A | √ | Strong | The method increases the difficulty of DoS attacks using a fee.
[54] | CoinParty | N/A | N/A | N/A | Strong | The mixing process can still function normally even if some participants violate the rules, using secure multi-party computation.
○23 | Monero | N/A | N/A | N/A | Strong | No need for multilateral negotiation, using the ring signature mechanism.
Note: N/A: not applicable.
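An added example (not from the survey or from any CoinJoin implementation) of the decentralised mixing row of Table 3: three parties build one shuffled multi-input, multi-output transaction, each signs only after checking that its own output is intact, and a ledger analyst cannot tell which input paid which output. HMAC stands in for Bitcoin signatures, the addresses and UTXO identifiers are constructed, and the dropout case illustrates defect 3 of the CoinJoin list above.

```python
import hashlib
import hmac
import json
import random
from itertools import permutations

DENOM = 100_000_000   # one coin in satoshi: the equal denomination every participant mixes


def tx_digest(tx):
    """Canonical hash of the unsigned transaction body."""
    body = json.dumps({"inputs": tx["inputs"], "outputs": tx["outputs"]}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Participant:
    """One CoinJoin party. `secret` stands in for the signing key (HMAC replaces
    ECDSA here); the fresh output address is derived so its label reveals nothing."""

    def __init__(self, name, secret, utxo):
        self.name, self.secret, self.utxo = name, secret, utxo
        self.out_addr = "addr_" + hashlib.sha256(secret + b"/fresh").hexdigest()[:10]
        self.willing = True                   # set to False to model a node that drops out

    def wants(self):
        return {"address": self.out_addr, "amount": DENOM}

    def sign(self, tx):
        """Sign only if my input is spent by a transaction that still pays my output in
        full and creates no coins; otherwise refuse. This local check is why CoinJoin
        has no risk of theft even though nobody trusts anybody."""
        if not self.willing:
            return None
        mine_in = [i for i in tx["inputs"] if i["utxo"] == self.utxo["utxo"]]
        mine_out = [o for o in tx["outputs"] if o == self.wants()]
        total_in = sum(i["amount"] for i in tx["inputs"])
        total_out = sum(o["amount"] for o in tx["outputs"])
        if len(mine_in) != 1 or len(mine_out) != 1 or total_out > total_in:
            return None
        return hmac.new(self.secret, tx_digest(tx).encode(), "sha256").hexdigest()


def build_coinjoin(parties, rng):
    """Merge every party's input and output into one transaction and shuffle both
    lists: the single multi-input, multi-output transaction of CoinJoin."""
    inputs = [dict(p.utxo) for p in parties]
    outputs = [p.wants() for p in parties]
    rng.shuffle(inputs)
    rng.shuffle(outputs)
    return {"inputs": inputs, "outputs": outputs, "sigs": {}}


def collect_signatures(tx, parties):
    """All parties must sign; one refusal aborts the mix (CoinJoin defect 3)."""
    for p in parties:
        sig = p.sign(tx)
        if sig is None:
            return False
        tx["sigs"][p.utxo["utxo"]] = sig
    return True


def consistent_links(tx):
    """Ledger analyst's view: number of input-to-output bijections consistent with the
    amounts. With equal denominations every permutation is plausible."""
    ins, outs = tx["inputs"], tx["outputs"]
    return sum(1 for perm in permutations(range(len(outs)))
               if all(ins[i]["amount"] == outs[perm[i]]["amount"] for i in range(len(ins))))


def demo():
    rng = random.Random(7)
    parties = [Participant(n, n.encode() + b"-key", {"utxo": f"{n.lower()}1:0", "amount": DENOM})
               for n in ("Alice", "Bob", "Mike")]   # the survey's three mixers, constructed
    tx = build_coinjoin(parties, rng)
    signed = collect_signatures(tx, parties)
    links = consistent_links(tx)

    tampered = build_coinjoin(parties, rng)         # a coordinator redirects one output
    tampered["outputs"][0]["address"] = "addr_thief"
    theft_blocked = not collect_signatures(tampered, parties)

    parties[2].willing = False                      # Mike drops out of the next round
    dropout_fails = not collect_signatures(build_coinjoin(parties, rng), parties)
    return {"signed": signed, "plausible_links": links,
            "theft_blocked": theft_blocked, "mix_fails_on_dropout": dropout_fails}


if __name__ == "__main__":
    print(demo())   # {'signed': True, 'plausible_links': 6, 'theft_blocked': True, 'mix_fails_on_dropout': True}
```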

○23 Monero. Monero-Secure, Private, Untraceable. https://getmonero.org, Apr. 2019.
○24 Dash. https://www.dash.org, Apr. 2019.
○25 Greg M. CoinJoin: Bitcoin Privacy for the Real World. https://github.com/kristovatlas/coinjoin-sudoku, Apr. 2019.

The user must use the other person’s public key and rency for privacy protection; however, its adoption of parameters in his or her signature. Furthermore, the the zk-SNARKs algorithm is very slow. It usually takes sender must provide the key image to provide identity a minute to generate new proof, and a bottleneck in effi- identification. Both the private and the key images are ciency has been observed. Fig.10 shows that the under- once dense to ensure they cannot be traced. lying implementation is similar to the bitcoin structure, although is constructed using zk-SNARKs’ de- centralized mixing coin pool. With the mint and pour operations, it can perform in complete anonymity. Mint

Public Key is the process by which a user writes a commitment to a list for a certain amount of cash. The promise must Private Key be a one-off serial number, and the user’s private key is calculated and irreversible. Pour is to cast a coin into Data its equivalent through a series of zero-knowledge proofs. • Similar to bitcoin, the increase in the number of Encrypted Data Zcash coins (ZEC) is based on mining. The ZEC ob- tained by a miner can be tracked and recorded; more- over, its use requires the signature of a private key. Therefore, if you directly use ZEC, since it is similar Fig.9. Ring signature. to BTC, you can directly complete the transfer in each • Zcash [55] is a new digital currency, formerly known address; however, it is currently not anonymous. The as the Zerocoin [56] project and is an improvement on commitment made by the ZEC operation is not on the Zerocoin. Zcash uses the promise function to encapsu- surface of the user address, but depends on the pub- late the source of each transaction and the amount of lic key and one one-time random number. The user several parameters while using zk-SNARKs [57] to prove must provide the serial number and a commitment in the transaction. The proof process does not need to re- the commitment list when he/she wants to spend (i.e., veal relevant information; thus, it can hide the value transfer) the ZEC. In this manner, the user can spend of the sender and even the inputs and outputs of the the ZEC without being completely exposed. The user transaction. Zcash is presently the best digital cur- can use the redemption operation to extract the ZEC

Mixed Coins Pool Based on zk -SNARKs (Untraceability)

CM 1 CM 33 CM 5 CM 7 CM=Commitment ZEC=Zcash Coins Pour

CM 22 CM 44 CM 6 CM 88

Redeem

Mint

ZEC ZEC ZEC TX mintmint ZEC TX mint ZEC TX pourpour

ZEC ZEC ZEC ZEC

Normal TX Zcash Block 1 Zcash Block 2 Zcash Block 3 Zcash Block 4

Fig.10. Zcash schematic [55]. Lie-Huang Zhu et al.: Data Security and Privacy in Bitcoin System: A Survey 857 in the pool in the so-called redemption operation. The to one node in the private blockchain. redemption is a commitment to return to a ZEC similar to the previous one, and the miner does not know which 5.2 Data Availability Protection commitment was redeemed for the ZEC. Thus, one does 5.2.1 Network Traceability Attacks Protection not have to transfer ZEC to anyone; one has to merely place a ZEC in the pool and redeem it; moreover, its The blockchain runs on a network with privacy pro- source is untraceable. tection; hence, its topology can be hidden, thereby pre- venting the exposure of identity privacy information. 5.1.3 Restricted Release Onion network (Tor) [13, 14] is one of the choices. Onion The restriction release plan aims to remove data network is an anonymous communication technology, directly related to privacy from the public database. which protects the privacy of the message sender and Compared with the previous introduction of the mix- the receiver and hides the route of the data message ing coin and encryption mechanisms, this type of meth- passing through the network. Another is Monroe, in ods is completely guaranteed to ensure the security of which the output address is the new address informa- privacy data. However, this approach has additional re- tion obtained by the receiver’s public key and the ran- strictions on business scenarios and requires additional dom parameter generated by the sender. In traditional modifications to the underlying protocol. The common digital currency, the content of the transaction output solutions include as the followings. address is the receiver’s public key and address informa- • Lightning and Raiden Networks. The lightning tion, and the observer can directly determine the coins’ network [58] enables secure out-of-chain transactions. In destination. 
the , the majority of the transaction 5.2.2 Eclipse Attacks Protection details between the users are implemented offline. Only the first and the last transactions must be recorded on Some researchers proposed several methods to solve the blockchain ledger; therefore, it can effectively pro- the eclipse attack as follows. tect the transaction privacy. The Raiden network○26 is • Restricting Access. The network node must be a micropayment channel solution proposed by the Eth- authenticated. This method can effectively prevent ernet. It is directly based on the lightning network and the incoming and outgoing links of the node such has been developed. No specific field restrictions on the that the malicious node cannot access the blockchain message format of the Ethernet have node [34, 47, 59]○27 . However, the approach will change the been cited; thus, Raiden can introduce a single incre- operational architecture of the blockchain. ment number for the channel balance snapshot, which • Detecting and Blocking Malicious Nodes. The solves the problem of identification and invalidation of blockchain uses a malicious node detection mechanism. the old version snapshot. Dillon○28 proposed an effective scheme for detecting ma- • Consortium and Private Blockchain. Traditional licious nodes and added malicious nodes to the black- blockchain applications are mostly public list, thereby limiting its further damage. such as Bitcoin and Ethernet. In the public blockchain application, anyone is free to be a member of the 5.3 Data Consistency Protection blockchain network. The maintenance of the trans- 5.3.1 Double-Spending Attacks Protection action data makes the public blockchain application highly credible; however, it brings the threat of iden- Karame et al. [39] analyzed that the current detec- tity and data privacy. 
Accordingly, the blockchain tion mode uses a “listening period” which refers to the technology produces a branch of consortium and pri- receiver detecting a collection of transactions after this vate blockchain to better protect privacy. Read and period to determine whether or not double spending ex- write permissions are open to nodes in the consortium ists. The problem with this approach is that attackers blockchain, while read and write permissions are open may delay the transmission because the neighbor node

○26 Jehan T, Zack H. Universal payment channels. https://altheamesh.com/documents/universal-payment-channels.pdf, Apr. 2019.
○27 Andrew M. Discovering bitcoin's public topology and influential nodes. http://cs.umd.edu/projects/coinscope/coinscope.pdf, Apr. 2019.
○28 Dillon J. Bitcoin-development mailinglist: Protecting bitcoin against network-wide DoS attack. http://sourceforge.net/p/bitcoin/mailman/message/31168096, Apr. 2019.

will not broadcast the detected double-spending. Thus, the neighbor node cannot detect the double-spending attack even after the listening period. The fewer the neighbor nodes of the receiving node, the higher the success rate of this attack. Another method is to insert observers into the network, which immediately notify the receiver when double spending has been detected. Only three observers can effectively detect double-spending attacks, but this requires additional cost. This study proposed a mechanism that improves the transaction forwarding function: a node forwards the transaction to its neighbor nodes when a double-spending attack is detected. The detection rate of this mechanism is 100% with a false negative rate of 0%. Ruffing et al. [60] designed a smart contract that allows payees to asynchronously receive payments and imposes penalties on double-spending attackers. Miguel and Barbara○29 proposed a new Byzantine consensus mechanism that shortens the trading time by 15 s–20 s and used collective signatures to make transactions irreversible. Danezis and Meiklejohn [61] proposed a new decentralized cryptocurrency, called RSCoin, in which the central bank maintains complete control over the coin supply to prevent double spending.

5.3.2 Mining Attacks Protection

Miners attack each other during mining to reduce the other parties' or the overall benefits. Yang et al. [62] proposed establishing a game model between two miners to improve the profit of miners through game strategies. Regardless of the selfish miner's strategy, when a loyal miner employs a pinning strategy, it can unilaterally set the payoff of a selfish miner within the range of zero to r/2−c (c is the computing power and r is the expansion of profit). The selfish miner's payoff is proportional to r but inversely proportional to c. The loyal miner cannot control his or her own payoff even with any subclass of the zero-determinant strategy. Miller et al. [63] proposed a mining mechanism in which the members of the mining pool do not trust one another but submit a password certificate to demonstrate the work they contributed. Shi [64] changed the consensus mechanism of bitcoin so that the value of the nonce is established according to certain rules to ensure a continuous output rate of bitcoin. The mechanism can improve dispersion and reduce the risk of a 51% attack. Gervais et al. [22] analyzed the various parameters of the PoW consensus mechanism and designed the best countermeasures for double spending and selfish mining.

6 Future Research Directions

The data security issues of bitcoin are crucial to the future development of bitcoin and blockchain. We propose several future research directions based on our understanding of the research results of many scholars.

6.1 Data Privacy Protection Mechanism Based on a Cryptology Algorithm

An effective privacy protection scheme aims to prevent an attacker from performing data analysis on the blockchain. However, this type of scheme changes the underlying architecture of the blockchain, which is not conducive to use in applications. Therefore, a scheme with high versatility must be designed. The solution should consider the computing and storage capabilities of the blockchain nodes.

In the public blockchain, sensitive information, such as transaction data, addresses, and identities, must be protected while allowing the accounting node to verify the legality of the transaction. For the consortium blockchain, regulatory and authorization tracking should be considered when building privacy protection schemes. Efficient zero-knowledge proofs, commitments, witness indistinguishability, and other cryptographic primitives and schemes, such as the zk-SNARK in Zcash, are used to build privacy protection mechanisms for transaction identity and content. Ring signatures [65], group signatures [66], and the hierarchical certificate mechanism [67] are optional schemes for privacy protection. For example, Monero uses a ring signature scheme to achieve privacy protection, while Hyperledger Fabric○30 uses the hierarchical certificate mechanism. The privacy protection of the transaction content can be achieved by adopting an efficient homomorphic encryption scheme or a secure multi-party computation scheme. For example, Ripple○31 implements privacy protection of the transaction channel by adopting a secure multi-party computation scheme; moreover, the mixing-coin mechanism can be used to achieve simple privacy protection.
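The relay behaviour behind the double-spending detection discussed in Subsection 5.3.1 (a neighbor that detects a conflict stays silent versus one that forwards the conflicting transaction), as an added toy simulation that is not code from the paper; the node names, topology and transactions are constructed, and the merchant M deliberately has a single honest neighbor.

```python
"""Toy relay simulation of the double-spend detection policies discussed above.

Constructed example, not code from the paper. Each node keeps a mempool and
relays new transactions to its peers. Under the default policy a node that
receives a transaction conflicting with one it already holds detects the
double spend but does not relay it, so a merchant with few neighbours is never
warned. Under the conflict-forwarding policy the detecting node relays the
conflicting transaction, so the merchant learns of the double spend too.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple        # outpoints spent, as (prev_txid, vout) pairs
    payee: str


@dataclass
class Node:
    name: str
    forward_conflicts: bool
    peers: list = field(default_factory=list)
    spent: dict = field(default_factory=dict)   # outpoint -> txid in mempool
    seen: set = field(default_factory=set)      # txids already processed
    alerts: set = field(default_factory=set)    # frozensets of conflicting txids

    def receive(self, tx, sender):
        """Process tx from sender; return the (peer, tx) relays to perform."""
        if tx.txid in self.seen:                 # duplicate: stops relay loops
            return []
        self.seen.add(tx.txid)
        conflicting = {self.spent[op] for op in tx.inputs if op in self.spent}
        relay = [(p, tx) for p in self.peers if p is not sender]
        if not conflicting:
            for op in tx.inputs:                 # accept into the mempool
                self.spent[op] = tx.txid
            return relay
        self.alerts.add(frozenset(conflicting | {tx.txid}))
        # Default policy: detect but stay silent. Forwarding policy: relay the
        # conflicting transaction so the neighbours (and the payee) see it too.
        return relay if self.forward_conflicts else []


def build_network(forward_conflicts):
    """Merchant M has a single honest neighbour, N2; N1, N2 and N3 form a triangle."""
    nodes = {n: Node(n, forward_conflicts) for n in ("M", "N1", "N2", "N3")}
    for a, b in [("M", "N2"), ("N1", "N2"), ("N1", "N3"), ("N2", "N3")]:
        nodes[a].peers.append(nodes[b])
        nodes[b].peers.append(nodes[a])
    return nodes


def simulate(forward_conflicts):
    """Run the attack on a fresh network; return the names of the nodes that detected it."""
    nodes = build_network(forward_conflicts)
    coin = ("funding_tx", 0)                     # the one output being spent twice
    pay_merchant = Tx("tx_merchant", (coin,), "M")
    pay_self = Tx("tx_self", (coin,), "attacker")
    # The attacker hands the payment to M and the conflicting transaction to N1.
    queue = deque([(nodes["M"], pay_merchant, None), (nodes["N1"], pay_self, None)])
    while queue:
        node, tx, sender = queue.popleft()
        for peer, relayed in node.receive(tx, sender):
            queue.append((peer, relayed, node))
    return {n.name for n in nodes.values() if n.alerts}


if __name__ == "__main__":
    print("default policy, detected by:", sorted(simulate(False)))     # N1, N2, N3
    print("forwarding policy, detected by:", sorted(simulate(True)))   # M, N1, N2, N3
```

With the default policy the conflict is seen only by the well-connected nodes, never by M; with forwarding enabled the same topology warns M as well.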

○29 Miguel C, Barbara L. Practical Byzantine fault tolerance. http://pmg.csail.mit.edu/papers/osdi99.pdf, Apr. 2019.
○30 https://www.hyperledger.org, Jun. 2020.
○31 https://ripple.com, Jun. 2020.

6.2 Data Availability Promotion Scheme Based on Demand

The existing anonymity attacks are of low accuracy and high cost. They do not have the conditions for large-scale implementation; however, the security threats to data availability are universal in the blockchain, which uses P2P as the underlying protocol of the blockchain application, thus causing hidden problems. In the future, we will focus on appropriate access control policies to limit node access and on malicious node detection mechanisms to prevent information leakage.

In the consortium blockchain, different permissions must be assigned to different nodes to meet certain regulatory requirements. Therefore, a secure and efficient identity authentication and permission management mechanism must be established. An authentication mechanism based on biometric recognition technology, or an efficient authentication scheme combining biometric and cryptographic technologies, can be adopted. An efficient and practical identity- or attribute-based encryption scheme can be adopted to achieve fine-grained access control or permission management of nodes or users.

Designing a blockchain system in the data network and implementing it on a cluster can simplify the system architecture, improve the weak connection, and reduce the broadcast overhead, which is a future research direction.

6.3 Defenses Against PoW Attacks and New Consensus Mechanism

Bitcoin's PoW consensus mechanism requires very strong computing power, which has made mining by "normal users" impractical. The collusion of miners or mining pools is very aggressive. An important research topic is methods to prevent the collusion of miners or mining pools. The consensus mechanism needs to improve its robustness, i.e., fault tolerance; the ability to tolerate malicious nodes must be improved. Efficiency is very important in the consensus mechanism: mining and transaction confirmation time must be continuously improved. Furthermore, the security of the theoretical model of the consensus mechanism must be strengthened. Proof of stake [68]○32, proof of personhood [69], memory-intensive consensus [70], and consensus consortium [71] are valued by many scholars. Consensus mechanisms should consider different incentive mechanisms to give attackers less benefit.

Moreover, Kiffer et al. [72] developed a method based on Markov chains to analyze the consistency of blockchain protocols. They used this method to analyze the relevant parameter settings of the consensus mechanism to ensure consistency and resist delay attacks. New consensus mechanisms will constantly emerge in the future, and the test method for consensus mechanisms is an important research topic.

7 Conclusions

The security of bitcoin is gradually being tested as it develops. The problems related to security pose a serious threat to both bitcoin and other blockchain applications. In this survey, we created a comprehensive classification and summary of bitcoin security. Firstly, we presented the background knowledge of bitcoin and the classification of bitcoin attacks. Subsequently, we discussed the attacks on and defenses of bitcoin data in terms of privacy, availability, and consistency. The data privacy attacks present threats to transaction and identity privacy; the data availability attacks present threats brought by network traceability and eclipse attacks; and the data consistency attacks present threats brought by double-spending, selfish mining, and block withholding attacks. Data privacy attacks can be defended against by mixing transaction data, encrypting transaction data, and restricting the release of transaction data. Data availability attacks can be defended against by detecting and shielding malicious nodes and using encrypted networks. Data consistency attacks can be defended against by forwarding transaction data in a certain way and combining various consensus mechanisms. Finally, we provided several open research issues and some suggestions for improving blockchain security.

○32 Sunny K, Scott N. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. https://peercoin.net/assets/paper/peercoin-paper-nl.pdf, Apr. 2019.

References

[1] Antonopoulos A M. Mastering Bitcoin: Unlocking Digital Crypto-Currencies (1st edition). O'Reilly Media, 2014.
[2] Pilkington M. Blockchain technology: Principles and applications. In Research Handbook on Digital Transformations, Olleros F X, Zhegu M (eds.), Edward Elgar Publishing, 2016, pp.225-253.
[3] Shen M, Tang X, Zhu L, Du X, Guizani M. Privacy-preserving support vector machine training over blockchain-based encrypted IoT data in smart cities. IEEE Internet of Things Journal, 2019, 6(5): 7702-7712.
[4] Patel D, Bothra J, Patel V. Blockchain exhumed. In Proc. the 2017 Asia Security and Privacy, January 2017, Article No. 15.
[5] Shen M, Ma B, Zhu L, Mijumbi R, Du X, Hu J. Cloud-based approximate constrained shortest distance queries over encrypted graphs with privacy protection. IEEE Trans. Information Forensics and Security, 2018, 13(4): 940-953.
[6] Shen M, Deng Y, Zhu L, Du X, Guizani N. Privacy-preserving image retrieval for medical IoT systems: A blockchain-based approach. IEEE Network, 2019, 33(5): 27-33.
[7] Shen M, Wei M, Zhu L, Wang M. Classification of encrypted traffic with second-order Markov chains and application attribute bigrams. IEEE Trans. Information Forensics and Security, 2017, 12(8): 1830-1843.
[8] Zhao H, Li X F, Zhan L K, Wu Z H. Data integrity protection method for microorganism sampling robots based on blockchain technology. Journal of Huazhong University of Science and Technology, 2015, 43(S1): 216-219. (in Chinese)
[9] Zheng B, Zhu L, Shen M, Gao F, Zhang C, Li Y, Yang J. Scalable and privacy-preserving data sharing based on blockchain. J. Comput. Sci. Technol., 2018, 33(3): 557-567.
[10] White G, Brown K. Future applications of blockchain: Toward a value-based society. In Proc. INCITE Conference, October 2016, pp.290-301.
[11] Shen M, Ma B, Zhu L, Du X, Xu K. Secure phrase search for intelligent processing of encrypted data in cloud-based IoT. IEEE Internet of Things Journal, 2019, 6(2): 1998-2008.
[12] Reid F, Harrigan M. An analysis of anonymity in the Bitcoin system. In Proc. the 3rd Int. IEEE International Conference on Social Computing, October 2011, pp.1318-1326.
[13] Koshy D, Koshy P, Mcdaniel P. An analysis of anonymity in Bitcoin using P2P network traffic. In Proc. the 18th Int. Financial Cryptography and Data Security, March 2014, pp.469-485.
[14] Biryukov A, Khovratovich D, Pustogarov I. Deanonymisation of clients in Bitcoin P2P network. In Proc. the 21st Int. Conference on Computer and Communications Security, November 2014, pp.15-29.
[15] Lear B. Theoretical Bitcoin attacks with less than half of the computational power (draft). arXiv: 1312.7013, 2013. http://arxiv.org/abs/1312.7013, Apr. 2019.
[16] Bag S, Ruj S, Sakurai K. Bitcoin block withholding attack: Analysis and mitigation. IEEE Transactions on Information Forensics & Security, 2017, 12(8): 1967-1978.
[17] Eyal I, Sirer E G. Majority is not enough: Bitcoin mining is vulnerable. In Proc. the 18th International Conference on Financial Cryptography & Data Security, March 2014, pp.436-454.
[18] Rosenfeld M. Analysis of Bitcoin pooled mining reward systems. arXiv: 1112.4980, 2011. https://arxiv.org/pdf/1112.4980, Oct. 2019.
[19] Saad M, Spaulding J, Njilla L, Kamhoua C, Shetty S, Nyang D, Mohaisen A. Exploring the attack surface of Blockchain: A systematic overview. arXiv:1904.03487, 2019. http://arxiv.org/abs/1904.03487, Oct. 2019.
[20] Conti M, Kumar E S, Lal C, Ruj S. A survey on security and privacy issues of Bitcoin. IEEE Communications Surveys & Tutorials, 2018, 20(4): 3416-3452.
[21] Li X, Jiang P, Chen T, Luo H, Wen Q. A survey on the security of blockchain systems. arXiv:1802.06993, 2018. http://arxiv.org/abs/1802.06993, Oct. 2019.
[22] Gervais A, Karame G O, Wüst K, Glykantzis V, Ritzdorf H, Capkun S. On the security and performance of proof of work blockchains. In Proc. the 2016 ACM SIGSAC Conference, October 2016, pp.3-16.
[23] Yuan Y, Wang F. Blockchain: The state of the art and future trends. Acta Automatica Sinica, 2016, 42(4): 481-494. (in Chinese)
[24] Liao K, Zhao Z, Doupé A, Ahn G. Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin. In Proc. the 2016 APWG Symposium on Electronic Crime Research, June 2016, pp.1-13.
[25] Ron D, Shamir A. Quantitative analysis of the full Bitcoin transaction graph. In Proc. the 17th Int. Financial Cryptography and Data Security, April 2013, pp.6-24.
[26] Androulaki E, Karame G O, Roeschlin M, Scherer T, Capkun S. Evaluating user privacy in Bitcoin. In Proc. the 17th International Conference on Financial Cryptography and Data Security, April 2013, pp.34-51.
[27] Monaco J V. Identifying Bitcoin users by transaction behavior. In Proc. SPIE Biometric and Surveillance Technology for Human and Activity Identification XII, May 2015, Article No. 945704.
[28] Meiklejohn S, Pomarole M, Jordan G, Levchenko K, McCoy D, Voelker G M, Savage S. A fistful of Bitcoins: Characterizing payments among men with no names. In Proc. the 2013 Internet Measurement Conference, October 2013, pp.127-140.
[29] Zhao C, Guan Y. A graph-based investigation of Bitcoin transactions. In Proc. the 11th Int. IFIP WG 11.9 International Conference on Digital Forensics, January 2015, pp.79-95.
[30] Zheng B, Zhu L, Shen M, Du X, Guizani M. Identifying the vulnerabilities of bitcoin anonymous mechanism based on address clustering. SCIENCE CHINA Information Sciences, 2020, 63(3): Article No. 132101.
[31] Garay J, Kiayias A, Leonardos N. The Bitcoin backbone protocol with chains of variable difficulty. In Proc. the 37th Annual International Cryptology Conference, August 2017, pp.291-323.
[32] Bonneau J, Miller A, Clark J, Narayanan A, Kroll J A, Felten E W. SoK: Research perspectives and challenges for bitcoin and cryptocurrencies. In Proc. the 2015 IEEE Symposium on Security and Privacy, May 2015, pp.104-121.
[33] Zohar A. Bitcoin: Under the hood. Communications of the ACM, 2015, 58(9): 104-113.
[34] Heilman E, Kendler A, Zohar A, Goldberg S. Eclipse attacks on Bitcoin's peer-to-peer network. In Proc. the 24th USENIX Security Symposium, August 2015, pp.129-144.
[35] Singh A, Ngan T, Druschel P, Wallach D S. Eclipse attacks on overlay networks: Threats and defenses. In Proc. the 25th IEEE International Conference on Computer Communications, April 2006.

[36] Vasek M, Thornton M, Moore T. Empirical analysis of denial-of-service attacks in the bitcoin ecosystem. In Proc. the 14th International Conference on Financial Cryptography & Data Security, March 2014, pp.57-71.
[37] Asokan N, Janson P A, Steiner M, Waidner M. The state of the art in electronic payment systems. Advances in Computers, 2000, 53: 425-449.
[38] Everaere P, Simplot-Ryl I, Traoré I. Double spending protection for e-cash based on risk management. In Proc. the 13th Int. Conference on Information Security, October 2010, pp.394-408.
[39] Karame G O, Androulaki E, Capkun S. Double-spending fast payments in Bitcoin. In Proc. ACM Conference on Computer and Communications Security, October 2012, pp.906-917.
[40] Pinzón C, Rocha C. Double-spend attack models with time advantange for Bitcoin. Electronic Notes in Theoretical Computer Science, 2016, 329: 79-103.
[41] Courtois N T, Bahack L. On subversive miner strategies and block withholding attack in Bitcoin digital currency. arXiv:1402.1718, 2014. https://arxiv.org/abs/1402.1718, Apr. 2019.
[42] Sapirshtein A, Sompolinsky Y, Zohar A. Optimal selfish mining strategies in Bitcoin. In Proc. the 20th Int. Conference on Financial Cryptography and Data Security, February 2016, pp.515-532.
[43] Nayak K, Kumar S, Miller A, Shi E. Stubborn mining: Generalizing selfish mining and combining with an eclipse attack. In Proc. the 2016 IEEE European Symposium on Security and Privacy, March 2016, pp.305-320.
[44] Carlsten M, Kalodner H, Weinberg S M, Narayanan A. On the instability of Bitcoin without the block reward. In Proc. the 2016 ACM SIGSAC Conference on Computer & Communications Security, October 2016, pp.154-167.
[45] Eyal I. The miner's dilemma. In Proc. the 2015 IEEE Symposium on Security and Privacy, May 2015, pp.89-103.
[46] Kwon Y, Kim D, Son Y, Vasserman E Y, Kim Y. Be selfish and avoid dilemmas: Fork after withholding (FAW) attacks on Bitcoin. In Proc. the 24th ACM SIGSAC Conference on Computer and Communications Security, October 2017, pp.195-209.
[47] Biryukov A, Pustogarov I. Bitcoin over Tor isn't a good idea. In Proc. the 2015 IEEE Symposium on Security and Privacy, May 2015, pp.122-134.
[48] Chaum D. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 1981, 24(2): 84-88.
[49] Bonneau J, Narayanan A, Miller A, Clark J, Kroll J A, Felten E W. Mixcoin: Anonymity for Bitcoin with accountable mixes. In Proc. the 18th International Conference on Financial Cryptography and Data Security, March 2014, pp.486-504.
[50] Valenta L, Rowan B. Blindcoin: Blinded, accountable mixes for Bitcoin. In Proc. the 2015 Financial Cryptography and Data Security, January 2015, pp.112-126.
[51] Chun Q, Tu S, Yu J. A blind-mixing scheme for Bitcoin based on an elliptic curve cryptography blind digital signature algorithm. arXiv: abs/1510.05833, 2015. http://arxiv.org/abs/1510.05833, Apr. 2019.
[52] Ruffing T, Moreno-Sanchez P, Kate A. CoinShuffle: Practical decentralized coin mixing for Bitcoin. In Proc. the 19th European Symposium on Research in Computer Security, September 2014, pp.345-364.
[53] Bissias G, Ozisik A P, Levine B N, Liberatore M. Sybil-resistant mixing for Bitcoin. In Proc. the 13th Int. Workshop on Privacy in the Electronic Society, November 2014, pp.149-158.
[54] Ziegeldorf J H, Grossmann F, Henze M, Inden N, Wehrle K. CoinParty: Secure multi-party mixing of Bitcoins. In Proc. the 5th ACM Conference on Data and Application Security and Privacy, March 2015, pp.75-86.
[55] Ben-Sasson E, Chiesa A, Garman C, Green M, Miers I, Tromer E, Virza M. Zerocash: Decentralized anonymous payments from Bitcoin. In Proc. the 2014 IEEE Symposium on Security and Privacy, May 2014, pp.459-474.
[56] Miers I, Garman C, Green M, Rubin A D. Zerocoin: Anonymous distributed e-cash from Bitcoin. In Proc. the 2013 IEEE Symposium on Security and Privacy, May 2013, pp.397-411.
[57] Ben-Sasson E, Chiesa A, Genkin D, Tromer E, Virza M. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In Proc. the 33rd Annual Cryptology Conference, August 2013, pp.90-108.
[58] Poon J, Dryja T. The Bitcoin lightning network: Scalable off-chain instant payments. http://lightning.network/lightning-network-paper.pdf, Oct. 2019.
[59] Dingledine R, Hopper N, Kadianakis G, Mathewson N. One fast guard for life (or 9 months). In Proc. the 7th Int. Workshop on Hot Topics in Privacy Enhancing Technologies, July 2014.
[60] Ruffing T, Kate A, Schröder D. Liar, liar, coins on fire!: Penalizing equivocation by loss of Bitcoins. In Proc. the 22nd ACM SIGSAC Conference on Computer & Communications Security, October 2015, pp.219-230.
[61] Danezis G, Meiklejohn S. Centrally banked cryptocurrencies. In Proc. the 23rd Int. Annual Network and Distributed System Security Symposium, February 2016.
[62] Yang Z, Miao Y, Chen Z Y, Tang C B, Chen X. Zero-determinant strategy for the algorithm optimize of blockchain PoW consensus. In Proc. the 37th Int. Chinese Control Conference, July 2017, pp.1441-1446.
[63] Miller A, Kosba A, Katz J, Shi E. Nonoutsourceable scratch-off puzzles to discourage Bitcoin mining coalitions. In Proc. the 22nd ACM SIGSAC Conference on Computer and Communications Security, October 2015, pp.680-691.
[64] Shi N. A new proof-of-work mechanism for Bitcoin. Financial Innovation, 2016, 2(1): Article No. 31.
[65] Fujisaki E, Suzuki K. Traceable ring signature. In Proc. the 10th Int. Conf. Practice and Theory in Public-Key Cryptography, April 2007, pp.181-200.
[66] Chaum D, Heyst E V. Group signatures. In Proc. Workshop on the Theory and Application of Cryptographic Techniques, April 1991, pp.257-265.
[67] Xu H L, Lu Y. Hierarchical certificate-based encryption: Definition and an efficient construction. Applied Mechanics & Materials, 2014, (513-517): 1971-1974.

[68] Badertscher C, Gazi P, Kiayias A, Russell A, Zikas V. Ouroboros genesis: Composable proof-of-stake blockchains with dynamic availability. In Proc. the 25th ACM SIGSAC Conference on Computer and Communications Security, October 2018, pp.913-930.
[69] Ford B, Strauss J. An offline foundation for online accountable pseudonyms. In Proc. the 1st Workshop on Social Network Systems, April 2008, pp.31-36.
[70] Ateniese G, Bonacina I, Faonio A, Galesi N. Proofs of space: When space is of the essence. In Proc. the 9th Int. Conf. on Security and Cryptography for Networks, September 2014, pp.538-557.
[71] Yu H, Gibbons P B, Kaminsky M, Xiao F. SybilLimit: A near-optimal social network defense against sybil attacks. IEEE/ACM Trans. Netw., 2010, 18(3): 885-898.
[72] Kiffer L, Rajaraman R, Shelat A. A better method to analyze blockchain consistency. In Proc. the 25th ACM SIGSAC Conference on Computer and Communications Security, October 2018, pp.729-744.

Lie-Huang Zhu received his Ph.D. degree in computer science from Beijing Institute of Technology, Beijing, in 2004. He is currently a professor at the School of Computer Science and Technology, Beijing Institute of Technology, Beijing. His research interests include security protocol analysis and design, group key exchange protocols, wireless sensor networks, and cloud computing.

Bao-Kun Zheng received his M.S. degree in computer science from the School of Information, Renmin University of China, Beijing, in 2010. He is currently a Ph.D. candidate at the School of Computer Science and Technology, Beijing Institute of Technology, Beijing, and an associate professor at the School of Information Management for Law, China University of Political Science and Law, Beijing. His research interests include blockchain, network and information security.

Meng Shen received his B.Eng. degree in computer science from Shandong University, Jinan, in 2009, and his Ph.D. degree in computer science from Tsinghua University, Beijing, in 2014. He is currently an assistant professor at the School of Computer Science and Technology, Beijing Institute of Technology, Beijing. His research interests include privacy protection of cloud-based services, network virtualization, and traffic engineering. He was a recipient of the Best Paper Runner-Up Award at IEEE IPCCC 2014.

Feng Gao received his B.Eng. degree and Ph.D. degree in computer science from the School of Computer Science and Technology, Beijing Institute of Technology, Beijing, in 2010 and 2018, respectively. His research interests include data privacy, blockchain, and smart grid.

Hong-Yu Li received his B.Eng. degree and M.S. degree in computer science from the School of Computer Science and Technology, Beijing Institute of Technology, Beijing, in 2017 and 2019, respectively. His research interests include blockchain, distributed systems and architectures, information security, and data mining.

Ke-Xin Shi received her B.Eng. degree in computer science from the School of Computer Science and Engineering, Hebei University of Technology, Tianjin, in 2017. She is currently an M.S. candidate at the School of Computer Science and Technology, Beijing Institute of Technology, Beijing. Her research interests include blockchain and smart contracts.